The Legal Aid Agency (LAA), a Ministry of Justice-backed civil and criminal legal aid and advice service covering England and Wales, has fallen victim to a cyber attack that appears to have led to the compromise of personal data on anybody who applied for legal aid through its digital service in the past 15 years.
The body said it first became aware of a cyber attack on its online digital services – used by legal aid providers to log their work and receive payment from the government – on 23 April 2025.
These services were quickly taken offline. Following this, working alongside the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), the agency’s IT team took action to reinforce security while the wider LAA reached out to the providers affected.
The LAA’s investigation initially appears to have shown that only legal aid providers were affected. However, on 16 May, it became apparent that the attackers had dug themselves far deeper into its systems than was first thought and accessed data on legal aid applicants dating back to 2010.
This includes not just those facing criminal prosecution, but individuals involved in family law cases, victims of domestic violence, and more.
It said the data includes contact details and addresses, birthdates, national ID numbers, criminal history, employment status and financial data. According to the Guardian, the intruders have stated they have accessed 2.1 million data points, although this is not verified.
“I understand this news will be shocking and upsetting for people, and I am extremely sorry this has happened,” said LAA CEO Jane Harbottle.
Since the discovery of the attack, my team has been working around the clock with the NCSC to bolster the security of our systems so we can safely continue the vital work of the agency
Jane Harbottle, Legal Aid Agency
“Since the discovery of the attack, my team has been working around the clock with the NCSC to bolster the security of our systems so we can safely continue the vital work of the agency.”
She continued: “However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down.
“We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time,” said Harbottle. “I am incredibly grateful to legal aid providers for their patience and cooperation at a deeply challenging time.”
The agency urged anyone who has applied for legal aid since 2010 to take immediate steps to safeguard themselves. As is frequently the case, the breadth of the data breached makes it useful to fraudsters and scammers involved in downstream cyber crime activity. Should the data be leaked, those affected may see an uptick in suspicious activity such as unsolicited text messages or phone calls.
No word yet on ransomware
The agency gave no indication as to whether or not it is dealing with a ransomware incident. Toby Lewis, head of threat analysis at Darktrace, said establishing the full facts of what has gone wrong would be the number one priority for the investigators.
“The Legal Aid Agency breach represents a significant but not unusual cyber incident facing public services today. Without confirmation of ransomware or system outages, we’re likely looking at either pre-ransomware exfiltration caught early or straightforward data theft. If it’s the latter, this could be as simple as misconfigured cloud storage or as complex as a nation-state operation targeting bulk personal data, similar to previous international government breaches,” he said.
“What’s crucial now is determining which scenario we’re dealing with to properly assess the broader implications for government digital security.”
Recent UK cyber attacks
A cyber attack at Marks & Spencer has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
Read more on Data breach incident management and recovery
